OWLS-92959: Doc: kubectl port-forward does not allow to access thru WLST in istio-domain for Istio version previous to 1.10 #2713
rosemarymarano
left a comment
minor edits
| configured with the following attributes: | ||
| * Protocol defined as `t3`. | ||
| * Listen address defined with `localhost`. | ||
| * Listen port. Note, you should choose a port value that does not conflict with any ports defined |
Note, you should choose a port -> Note: Choose a port
| * Enable `HTTP` protocol for this network channel. | ||
| * Do _NOT_ set an `external listen address` or `external listen port`. | ||
|
|
||
| For example, here is a snippet of a WebLogic domain `config.xml` file for channel `PortForward` for the Admin Server |
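Review bot: The bullet `Do _NOT_ set an external listen address or external listen port` states the rule without the reason. The pull request description explains that a public listen address resolvable only inside the cluster is what prevents online WLST from establishing its t3 connection through the port-forward. Suggest adding a short clause to that effect to the bullet so readers do not re-add those values later.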
Period at the end of the sentence. -> ...for the Administration Server.
| </network-access-point> | ||
| </server> | ||
| ``` | ||
| For Model in Image (MII) and Domain Home in Image (DII), here is a snippet model configuration for channel `PortForward` for the Admin Server |
Domain Home in Image -> Domain in Image
Period at the end of the sentence. -> ...for the Administration Server.
| you must add an additional network channel to the WebLogic Administration Server | ||
| configured with the following attributes: | ||
| * Protocol defined as `t3`. | ||
| * Listen address defined with `localhost`. |
Have you tested this? I'm pretty sure the introspector WLST generates overrides for every configured listen address on every channel to force it to "DOMAINUID-WLSERVERNAME".
I did test it. This is only for when you are Istio enabled AND Istio versions prior to 1.10. In the introspector code, we customize naps to set the listen address to 'localhost/127.0.0.1' when Istio is enabled AND Istio requires localhost bindings:
```python
def customizeNetworkAccessPoint(self, nap, listen_address):
    # Don't bother 'add' a nap listen-address, only do a 'replace'.
    # If we try 'add' this appears to mess up an attempt to
    # 'add' PublicAddress/Port via custom sit-cfg.
    # FWIW there's theoretically no need to 'add' or 'replace' when empty
    # since the runtime default is the server listen-address.
    istio_enabled = self.env.getEnvOrDef("ISTIO_ENABLED", "false")
    istio_use_localhost_bindings = self.env.getEnvOrDef("ISTIO_USE_LOCALHOST_BINDINGS", "true")
    if istio_enabled == 'true' and istio_use_localhost_bindings == 'true':
        listen_address = '127.0.0.1'
```
So technically, it doesn't matter what you set the listen address to? Why do the new instructions say to set "localhost"? We don't normally advise setting the LA to anything IIRC.
Yes, technically doesn't matter. I just added the instructions as it does match well in understanding why the channel has to bind listen address as 'localhost' when using Istio versions prior to v1.10 (i.e. istio proxying data to 'localhost'). I'm fine with removing the advice of setting the listen address to 'localhost', if that's the preference.
OK - now I get it - thanks. I guess it's fine, but I prefer something like:
- Listen address defined with `localhost`. (Note that setting the address to `localhost` is solely for self documenting purposes. The address can be set to any value, and the operator will override it to the required value regardless.)
Pre-approving - leaving it up to you to add the additional wording.
| network channel with a `localhost` listen address for each | ||
| existing port. This means that no additional configuration is required | ||
| to enable port forwarding when Istio is enabled. | ||
| you must add an additional network channel to the WebLogic Administration Server |
Is the additional network channel still needed if user only wants to access console (and not WLST)? I think WLST use-case is not very common and we may want to mention about the additional channel only when WLST access is required.
Technically, it's not needed if user only wants to access using console. We can update the description to include if online WLST access is required. It is becoming very confusing with all these restrictions so I omitted it as the additional network channel works for both console and online WLST.
I prefer to be very exact - IMO, it's more confusing not to mention that this is only needed for WLST (but happens to work for console too) - especially as it's more convenient for those that just need console access to skip the extra "configure a NAP step". Please do include the extra wording.
I've made doc changes based on the latest input. Please review again and provide feedback. Thank you.
rosemarymarano
left a comment
few edits
| configured with the following attributes: | ||
| * Protocol defined as `t3`. | ||
| * Listen address defined with `localhost`. | ||
| * Listen address defined with `localhost`. (Note: Stting the address to localhost is solely |
typo -> Stting
| * Protocol defined as `t3`. | ||
| * Listen address defined with `localhost`. | ||
| * Listen address defined with `localhost`. (Note: Stting the address to localhost is solely | ||
| for self documenting purposes. The address can be set to any value, and the operator will override |
self documenting -> self-documenting
| * Listen address defined with `localhost`. | ||
| * Listen address defined with `localhost`. (Note: Stting the address to localhost is solely | ||
| for self documenting purposes. The address can be set to any value, and the operator will override | ||
| it to the required value regardless.) |
unnecessary word -> regardless. You can remove it.
| It is not necessary to add an additional network channel, for Istio-enabled domains running Istio | ||
| versions prior to 1.10, to the WebLogic Administration Server if only console access is required . | ||
| {{% /notice %}} | ||
|
|
suggested re-write:
"For Istio-enabled domains running Istio
versions prior to 1.10, if console only access is required, then it is not necessary to add an additional network channel to the WebLogic Administration Server."
OWLS-92959: Doc: kubectl port-forward does not allow to access thru WLST in istio-domain for Istio version previous to 1.10
Online WLST cannot successfully connect to the Admin Server via k8s port-forward when the WebLogic domain is integrated with Istio versions prior to v1.10. The generated WebLogic network channels, specifically for use with Istio versions prior to v1.10, define a public listen address that is only resolvable within the k8s cluster and this prevents online WLST from successfully establishing a 't3' connection. Since Istio versions prior to v1.10 are not officially supported (have reached end-of-life), we are updating the documentation for Operator release 3.3.x to describe the additional network channel configuration needed to allow k8s port-forwarding to work when an Istio version prior to v1.10 is integrated with the WebLogic domain.
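A check for the channel attributes listed in the documentation change above, as an added example that is not part of the pull request or the operator's code. The `config.xml` sample and its server name and ports are constructed, and the element names (`public-address` and `public-port` for the external listen address and port) are assumed from WebLogic's `config.xml` schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the snippet from the pull request.
# Element names are assumed from WebLogic's config.xml schema.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>admin-server</name>
    <listen-port>7001</listen-port>
    <network-access-point>
      <name>PortForward</name>
      <protocol>t3</protocol>
      <listen-address>localhost</listen-address>
      <listen-port>7890</listen-port>
      <http-enabled-for-this-protocol>true</http-enabled-for-this-protocol>
    </network-access-point>
  </server>
</domain>"""

def check_channel(config_xml, server, channel="PortForward"):
    """Return a list of findings; an empty list means the channel matches the doc."""
    root = ET.fromstring(config_xml)
    for el in root.iter():  # drop XML namespaces so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    srv = next((s for s in root.iter("server") if s.findtext("name") == server), None)
    if srv is None:
        return ["server %r not found" % server]
    naps = srv.findall("network-access-point")
    nap = next((n for n in naps if n.findtext("name") == channel), None)
    if nap is None:
        return ["channel %r not found on %r" % (channel, server)]
    findings = []
    # The listen address is not checked: per the thread, the operator overrides it.
    if nap.findtext("protocol") != "t3":
        findings.append("protocol is not t3")
    if nap.findtext("http-enabled-for-this-protocol") != "true":
        findings.append("HTTP is not enabled for the channel")
    for tag in ("public-address", "public-port"):
        if nap.findtext(tag):
            findings.append("%s is set; external address/port must stay unset" % tag)
    port = nap.findtext("listen-port")
    used = [srv.findtext("listen-port")]
    used += [n.findtext("listen-port") for n in naps if n is not nap]
    if not port:
        findings.append("listen port is missing")
    elif port in used:
        findings.append("listen port %s conflicts with another port" % port)
    return findings
```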